The surge of spam seemingly sent from AOL email accounts last week was the result of a serious data breach on AOL's internal network and systems, the company said yesterday (April 28). Two percent of AOL email accounts (approximately half a million users) may have been compromised, and all AOL users are strongly encouraged to change their passwords.
The admission came a week after floods of spam were discovered seemingly coming from AOL email addresses. The spam was sent to contacts in AOL users' address books and contained links for diet pills and Android malware.
At the time, AOL denied that the company's systems had been hacked into, and insisted that the spammers were "spoofing," or forging AOL users' email addresses, not actually accessing the accounts.
The second assertion turned out to be true, but it didn’t mesh with the denial of a data breach.
As security expert Graham Cluley pointed out last week, "this doesn't explain how the emails are being sent to genuine contacts of those particular AOL users – have the address books of AOL users or AOL's mail logs somehow fallen into the hands of malicious third parties?"
It turns out Cluley was right.
"AOL is investigating a security incident that involved unauthorized access to AOL's network and systems," the company's Apr. 28 blog posting reads.
The company said attackers got hold of AOL users' email addresses, home addresses, contact lists, encrypted (presumably hashed) passwords and encrypted answers to security questions.
Because the compromised passwords and security answers should be unreadable, AOL still believes the spammers did not actually access users' email accounts, but spoofed the return addresses in the spam messages instead. (The company didn't say what kind of hashing algorithm was used; several common ones can be quite easily "cracked.")
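Why a stolen "encrypted" password is not necessarily safe depends on how it was hashed. The following Python is an added illustration, not code from AOL or from this article: it contrasts an unsalted fast hash (where one precomputed table of common passwords answers every account in a dump at once) with a per-account salted, iterated PBKDF2 record. The candidate password list is constructed for the example, and PBKDF2-HMAC-SHA256 stands in for any slow salted scheme; the article does not say which algorithm AOL used.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed sample data: a few passwords a dictionary check would try first.
# These are illustrative only and have nothing to do with the AOL data.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "iloveyou"]


def fast_unsalted_hash(password: str) -> str:
    """Unsalted SHA-1, representative of weak 2014-era password storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_in_dictionary(stored_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Precompute hashes of candidate passwords once, then look a stolen hash up.

    Because there is no salt, the same table works against every record in a
    breached dump, which is what makes such hashes 'quite easily cracked'.
    """
    table = {fast_unsalted_hash(p): p for p in candidates}
    return table.get(stored_hash)


def make_salted_record(password: str, iterations: int = 200_000) -> Tuple[bytes, bytes, int]:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest, iteration count).

    A fresh random 16-byte salt per account means two users with the same
    password get different digests, so no shared lookup table applies, and the
    iteration count makes each guess cost real CPU time for an attacker.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_salted_record(password: str, record: Tuple[bytes, bytes, int]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stolen = fast_unsalted_hash("letmein")
    print("unsalted SHA-1 recovered from table:", lookup_in_dictionary(stolen, COMMON_PASSWORDS))

    rec_a = make_salted_record("letmein")
    rec_b = make_salted_record("letmein")
    print("same password, different salted digests:", rec_a[1] != rec_b[1])
    print("verify correct password:", verify_salted_record("letmein", rec_a))
    print("verify wrong password:", verify_salted_record("LETMEIN", rec_a))
```

The practical takeaway matches the article's advice: a defender cannot assume a hashed password is unreadable unless it was stored with a per-user salt and a deliberately slow function, so forcing a password change after a breach is the safe course either way.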
"We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2 percent of our email accounts," yesterday's post said, connecting the breach to last week's spam.
Nevertheless, AOL is urging its users to change their passwords, and the security questions associated with those passwords, immediately. AOL users who use those passwords anywhere else should change them there as well.
Even if you're not an AOL user, you should still be on the lookout for emails that appear to come from an AOL address. Spammers can use breached data to send phishing emails that appear to come from a friend who uses an AOL account, but actually contain malicious links or attachments.